DETAILED ACTION

This office action is in response to the application filed on June 30, 2003. The original
application contained Claims 1-24. Therefore, Claims 1-24 are presently pending.

Claim Rejections - 35 USC § 101 

1. 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or 
any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and 
requirements of this title. 

2. Claims 1-24 are rejected under 35 U.S.C. 101 because the claimed invention is directed 
to non-statutory subject matter. 

Claims 1-24 are rejected under 35 U.S.C. 101. Based on Supreme Court precedent and
recent Federal Circuit decisions, a 35 U.S.C. § 101 process must (1) be tied to a particular
machine or (2) transform underlying subject matter (such as an article or materials) to a different
state or thing. In re Bilski et al, 88 USPQ 2d 1385 CAFC (2008); Diamond v. Diehr, 450 U.S.
175, 184 (1981); Parker v. Flook, 437 U.S. 584, 588 n.9 (1978); Gottschalk v. Benson, 409 U.S.
63, 70 (1972); Cochrane v. Deener, 94 U.S. 780, 787-88 (1876).

An example of a method claim that would not qualify as a statutory process would be a 
claim that recited purely mental steps. Thus, to qualify as a § 101 statutory process, the claim 
should positively recite the particular machine to which it is tied, for example by identifying the
apparatus that accomplishes the method steps, or positively recite the subject matter that is being
transformed, for example by identifying the material that is being changed to a different state. 

Here, applicant's method steps are not tied to a particular machine and do not perform a 
transformation. Thus, the claims are non-statutory. 

The mere recitation of the machine in the preamble with an absence of a machine in the 
body of the claim fails to make the claim statutory under 35 USC 101. Note the Board of Patent
Appeals Informative Opinion Ex parte Langemyer et al. 



Claim Rejections - 35 USC § 102 

1. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed 
in the United States before the invention by the applicant for patent or (2) a patent granted on an application for 
patent by another filed in the United States before the invention by the applicant for patent, except that an 
international application filed under the treaty defined in section 351(a) shall have the effects for purposes of this 
subsection of an application filed in the United States only if the international application designated the United 
States and was published under Article 21(2) of such treaty in the English language. 

2. Claims 1-24 are rejected under 35 U.S.C. 102(e) as being anticipated by Lineman et al. 
(U. S. Publication No.: 2003/0065942). 

3. Regarding Claim 1, Lineman teaches and describes a method for implementing a security 
risk assessment for a merchant entity having connectivity to a shared network, the method 
comprising: receiving, from each of a plurality of payment-processing organizations, a set of
security requirements defining protocols for implementing commercial transactions over the 
shared network using instruments identified with the payment-processing organization; 
developing a security test scheme having a set of test requirements whose satisfaction by the 
merchant entity is sufficient to ensure compliance with the sets of security requirements defined 
by each of the plurality of payment-processing organizations; and performing a remote scan of a 
network site maintained by the merchant entity on the shared network in support of
shared-network commercial transactions with a security compliance authority server, the remote scan
implementing at least a subset of the set of test requirements to evaluate compliance by the 
merchant entity ([0036-0039, and 0078-0096]). 

4. Regarding Claim 12, Lineman teaches and describes a method for assessing a security 
risk for a merchant entity having connectivity to a shared network, the method comprising: 
receiving information describing characteristics of the merchant entity from the merchant entity; 
determining which test requirements of a security test scheme to use in assessing the security risk 
for the merchant entity, wherein the security test scheme includes a set of test requirements 
whose satisfaction by the merchant entity is sufficient to ensure compliance with a plurality of 
sets of security requirements defined by a plurality of payment-processing organizations; and 
executing the security test scheme with a security compliance authority server in accordance 
with the determined test requirements ([0036-0039, and 0078-0096]). 

5. Regarding Claim 21, Lineman teaches and describes a computer-readable storage
medium having a computer-readable program embodied therein for directing operation of a
security compliance authority server including a communications system, a processor, and a
storage device, wherein the computer-readable program includes instructions for operating the
security compliance authority server to assess a security risk for a merchant entity having
connectivity to a shared network in accordance with the following: receiving, with the 
communications system, information describing characteristics of the merchant entity; 
determining, with the processor, which test requirements of a security test scheme to use in 
assessing the security risk for the merchant entity, wherein the security test scheme is stored on 
the storage device and includes a set of test requirements whose satisfaction by the merchant 
entity is sufficient to ensure compliance with a plurality of sets of security requirements defined 
by a plurality of payment-processing organizations; and executing, with the processor, the 
security test scheme in accordance with the determined test requirements ([0036-0039, and
0078-0096]).



6. Claims 2-11, 13-20, and 22-24 are rejected as applied above in rejecting Claims 1, 12, and
21. Furthermore, Lineman teaches and describes a method and apparatus for establishing a security
policy wherein:

As per Claim 2, further comprising transmitting a questionnaire to the merchant entity 
with the security compliance authority server, the questionnaire including queries whose truthful 
response identifies a level of compliance with at least some of the test requirements
([0084-0086]).

As per Claim 3, further comprising scheduling an on-site audit at the merchant entity
with the security compliance authority server, the on-site audit being structured to follow a 
prescribed methodology for identifying a level of compliance with at least some of the test 
requirements ([0084-0088]). 

As per Claim 4, a satisfaction level of the test requirements required for compliance with 
the test requirements is dependent on a characteristic of the merchant entity ([0087-0091]). 

As per Claim 5, the characteristic comprises a shared-network transaction volume 
processed by the merchant entity over the shared network ([0090]). 

As per Claim 6, a frequency of performing the remote scan is dependent on a 
characteristic of the merchant entity ([0093-0094]). 

As per Claim 7, the characteristic comprises a shared-network transaction volume 
processed by the merchant entity over the shared network ([0090]). 

As per Claim 8, further comprising receiving information describing characteristics of the 
merchant entity from the merchant entity to limit parameters of the remote scan ([0092-0094]). 

As per Claim 9, further comprising generating a report summarizing a level of 
compliance by the merchant entity with the set of test requirements as determined from 
performing the remote scan ([0083-0096]). 

As per Claim 10, the merchant entity comprises an Internet merchant ([0025-0029]). 

As per Claim 11, the method recited in claim 1 wherein the merchant entity comprises
an Internet merchant gateway ([0025-0029]).

As per Claim 13, executing the security test scheme comprises performing a remote scan
of a network site maintained by the merchant entity on the shared network in support of
shared-network commercial transactions with the security compliance authority server ([0078-0088]).

As per Claim 14, executing the security test scheme comprises scheduling an on-site 
audit at the merchant entity with the security compliance authority server, the on-site audit being 
structured to follow a prescribed methodology for identifying a level of compliance with at least 
some of the test requirements ([0078-0088]). 

As per Claim 15, executing the security test scheme comprises transmitting a 
questionnaire to the merchant entity with the security compliance authority server, the 
questionnaire including queries whose truthful response identifies a level of compliance with at 
least some of the test requirements ([0078-0088]). 

As per Claim 16, determining which test requirements of the security test scheme to use 
in assessing the security risk for the merchant entity is dependent on a characteristic of the 
merchant entity ([0087-0091]). 

As per Claim 17, the characteristic comprises a shared-network transaction volume 
processed by the merchant entity over the shared network ([0088-0090]). 

As per Claim 18, further comprising generating a report summarizing a level of 
compliance by the merchant entity with the set of determined test requirements as evaluated from 
executing the security test scheme ([0072-0091]). 

As per Claim 19, the merchant entity comprises an Internet merchant ([0025-0029]). 

As per Claim 20, the merchant entity comprises an Internet merchant gateway
([0025-0029]).

As per Claim 22, the instructions for executing the security test scheme comprise
instructions for performing a remote scan of a network site maintained by the merchant entity on 
the shared network in support of shared-network commercial transactions ([0072-0091]). 

As per Claim 23, the instructions for executing the security test scheme comprise 
instructions for scheduling an on-site audit at the merchant entity ([0072-0091]). 

As per Claim 24, the instructions for executing the security test scheme comprise 
instructions for transmitting a questionnaire to the merchant entity ([0072-0091]). 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to SYED ZIA whose telephone number is (571)272-3798. The 
examiner can normally be reached on 9:00 to 5:00. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh can be reached on 571-272-3795. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

sz 

February 12, 2009 
/Syed Zia/ 

Primary Examiner, Art Unit 2431



